Q&A: KnowBe4’s Social Engineering Experts On Evolving Phishing Threats & Building a Robust Security Culture

Expert Insights interviews Roger Grimes, data-driven defense evangelist and Javvad Malik, lead security awareness advocate at KnowBe4.

Security Awareness Advocates KnowBe4

Phishing has long been a top challenge for organizations, but generative AI and deepfake technologies are changing the game. It is now easier, faster, and more cost-effective than ever for attackers to send sophisticated phishing emails at scale.

Roger Grimes, Data-Driven Defense Evangelist, and Javvad Malik, Lead Security Awareness Advocate at KnowBe4, told Expert Insights that attackers are leveraging multiple channels and advanced AI tools to deceive users, amplifying the risk of compromise.

“Social engineering accounts for 70 to 90% of all successful hacking,” explains Grimes. “Phishing attacks are expanding beyond email to channels like SMS, voice calls, and even social media, making a robust culture of security awareness more critical than ever.”

In this Q&A, Grimes and Malik discuss how organizations can address the evolving phishing threat landscape, and what CISOs should prioritize to build resilience in 2025 and beyond.


Q. What are the biggest challenges for customers in the phishing space today and how are threats evolving?

Roger: A few things: First, organizations need to make sure they are addressing all aspects of human risk and not just training. The organization ultimately wants to change its culture so that everyone is making the right decisions and taking the right actions almost without thinking about it. When new employees start, they see all their coworkers doing safe behaviors, like locking their laptop screens, not clicking on links before examining them, and so on.

The top level of cybersecurity maturity for any organization is changing its culture to one where they are just making the right security decisions without thinking about it much. It’s like how we all hold our kids’ hands as they start crossing the street and teach them to look both ways…and after a lot of practice, it just becomes second nature to the kid. And when they become parents, they teach it to their kids, and so on.

Social engineering is responsible for 70% to 90% of all successful hacking, and most of that is email phishing. The number of ways someone can be phished is dramatically increasing beyond email and web to SMS, WhatsApp, phone calls, paper mail and in-person.

The key is to teach everyone to have a healthy level of skepticism, no matter how a message arrives, about whether it arrives unexpectedly and asks them to do something they have never done before (at least for that requestor). Any message with those two traits is a higher-risk message than one that does not have them. So, teach everyone to have that healthy level of skepticism and, if they get a high-risk message, to investigate it before performing the requested actions.

A big challenge for many customers is just getting the right level of senior management support to do security awareness training effectively, which means training at least monthly and doing simulated phishing tests at least monthly, if not more often.

Javvad: Some of the biggest challenges are around how criminals are using a variety of channels to amplify their attacks. Layering a phishing email with an SMS, a voice message, or a social media direct message can all add to credibility and cause someone to fall victim. 

We are also seeing an increase in specific corporate brands being impersonated as well as the increased use of AI tools to launch more convincing attacks.


Q. How does the KnowBe4 platform help teams address these challenges, and how do you differentiate yourselves from competitors?

Roger: A lot of ways, starting with the fact that we have far more great content than any of our competitors. Most competitors have just a few content creators. We have many dozens of people, many with master’s degrees and PhDs in digital content and education. I think that comes through in our content. Our “Inside Man” content has Hollywood production values. It’s like a Netflix series. We have many customers asking us when the next episode will be released. Imagine customers asking for more training!

Our content is often the first to cover the most pressing topics. You won’t find a vendor who has covered MFA and made sure customers use PHISHING-RESISTANT MFA more than us. You won’t find a vendor covering strong passwords like we do, password managers, SMS phishing, voice call phishing, business email compromise scams, call back phishing, notification phishing, AI-deepfakes and so on. We follow the hacker phishing industry very closely, and when we see a trend, we develop multiple pieces of content around it and get it out to our customers. We even do education on the threat of quantum computers against today’s cryptography and how they need to prepare. I challenge you to find a training vendor that also covers that topic. We do a lot of thought leadership in our industry. We have many firsts.

We are very easy to set up and get running. The average customer can get up and running in two hours. After that, if they want, they can let our AI-enabled intelligent agents take over and respond with the different types of content and testing that their co-workers need.

No one has as many features and functionality as we do. 

Javvad: KnowBe4 is the world’s largest and most comprehensive human risk management platform, which is focused on helping people make better decisions. Its extensive suite of training material is designed to resonate with users at all levels and of all interests, with content ranging from short nudges to extensive training modules.

What sets KnowBe4 apart is its relentless focus on humans and the adaptive approach it has to training, leveraging AI to tailor and deliver simulated phishing and training to the right users, at the right time, when they need it the most, to ensure awareness is both relevant and engaging.

This is enhanced by tools which can help the SOC investigate and respond to phishing attacks and a detailed analytical framework that can help measure risk at an individual, departmental, or organizational level to ensure a strong security culture is upheld. 


Q. What are your top recommendations for CISOs in the process of looking for a phishing/security awareness training solution?

Roger: Make sure the solution embraces all of human risk management, from culture to individual, customized feedback on down. Security awareness training is a big part of the solution, but only part of it. You have to use every tool, technical and educational, to decrease human risk. For example, a huge mistake many employees make is in visiting inappropriate websites, which are more likely to contain malware.

You not only want to teach and educate about it, but you also need tools to help do site content-filtering and teach right away when a user makes a mistake and goes to a bad website. We have a tool called Security Coach that, when told by your content filtering system that an employee went to a bad website, sends a message immediately to the employee, shows them company policy, and educates them about why it’s important not to do it. The closer you can do the coaching to the violation, the better the lesson will stick.

Javvad: Firstly, look beyond the veneer of features. The core of a sound phishing and security awareness program is its ability to engage and resonate with employees. Assess potential offerings not only on their technological merits but on how effectively they can change behavior and culture within your organization.

Secondly, demand adaptability. The threat landscape is perpetually in flux, necessitating an offering that evolves with emerging threats. A product should offer customization that allows your organization to simulate relevant phishing scenarios, gauging and enhancing your team’s resilience against them.

Lastly, seek offerings that offer comprehensive reporting capabilities. If you are unable to tangibly measure the impact of a training program, you will struggle to justify the investment and ROI.


Q. What trends do you expect to see in the phishing space in 2025?

Roger: Certainly, we expect to see a big increase in attackers using AI-enabled deepfake technologies to perform better scams. On the other hand, we have been using AI for over six years to fight attacker scams, and that will just continue to ramp up in 2025. We see AI actually being a tool that, for the first time, may be more beneficial in the defender’s hands than the attacker’s.

Javvad: In all likelihood, phishing attacks will become even more personalized and sophisticated, leveraging artificial intelligence to craft messages that are remarkably convincing. Additionally, the integration of deepfake technology may lead to the emergence of exceptionally believable phishing attempts through counterfeit audio and video elements, making the detection of such frauds increasingly challenging for the untrained eye.


Q. In your view, what should organizations’ top phishing planning priorities for 2025 be?

Roger: Start with doing the basics better. Make sure you train at least once a month and do simulated phishing tests at least once a month, if not more. That is the bare minimum. If you are not there, get there. Second, start to educate employees about the threat of deepfakes and what that means to them, and the attacks they face. Third, help your organization get to phishing-resistant MFA if they aren’t using phishing-resistant MFA.

That’s one of the best things any organization can do after effective training. I don’t like to make a lot of priorities because, frankly, if most organizations had the time and resources to complete one or two in a given year, that’s a huge win!

Javvad: Organizations must prioritize building a culture of security awareness, where vigilance is ingrained in every employee, from the boardroom to the break room. Investing in continuous, adaptive training programs that evolve with the threat landscape is non-negotiable. Additionally, implementing robust incident response plans that can swiftly and effectively mitigate the impact of a successful phishing attack will be crucial.

Organizations should also embrace advanced security technologies such as AI and machine learning for predictive threat detection and response. Above all, fostering a transparent environment where employees feel empowered to report potential threats without fear of retribution will be key to staying ahead of attackers.
